ossim - AlienVault

4.2 Data Flow
To give a better understanding of how each product is integrated, we offer the following step-bystep
description of data flow beginning with the generation of an event:
1. Events are processed by the detectors until an alert is produced in response to
identification of a pattern or anomaly.
2. If necessary, alerts are processed by the consolidators before being sent. The
consolidators send alerts in groups to occupy a minimum of bandwidth.
3. The collector receives alerts using various open communication protocols.
4. The parser normalizes and saves them in the event database.
5. The parser also prioritizes alerts according to the security policy defined in the
framework and information in the systems inventory about the system under attack.
6. The parser assesses the immediate risk represented by the alert and sends an alarm
to the control panel as necessary.
7. Prioritized alerts are sent to each correlation process, which updates their state
variables and eventually sends new alerts with more complete or reliable
information. These alerts are re-sent to the parser to be stored, prioritized, assessed
for risk, etc.
8. The risk monitor periodically displays the state of each risk index as calculated by
CALM.
9. The control panel shows the most recent alarms, updates the state of all the indices
which it compares to their thresholds, and sends out new alarms or performs the
appropriate actions as necessary.
10. From the control panel, the administrator can link and view all events occurring at the
time of the alert using the forensic console.
11. The administrator can also check the concurrent state of the machine involved using
the use, profile, and session monitors.
27